
Challenges and Basic Countermeasures When Embedded Devices Connect to the Cloud

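Over the past few years, news reports have begun to cover cybersecurity incidents not only on network-connected PCs and servers but also on office equipment, medical devices, and similar products. As the typical architectures of network-connected embedded devices have evolved, and as business models have shifted to include related services as well as the devices themselves, security risks have grown.
Drawing on data that matters to executives as well as developers, this session sorts out the gaps between the safety and quality perspective and the security perspective, and discusses methods and technologies for verifying software and systems that help close those gaps, along with how to put that verification into practice.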

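Agenda
- Overview of how embedded device architectures and service offerings have evolved, and the associated security risks
- Methods and technologies useful for developing and verifying safe and secure products, and how to put them into practice
- Synopsys tools for secure product development and usage examples
- Q&A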
Recorded Jun 3 2020 62 mins
Presented by
松岡正人, Senior Product Marketing Manager, and 中野哲也, Senior Sales Engineer, Software Integrity Group, Nihon Synopsys G.K.
  • Developing a COVID-19 track and trace app – through the lens of Synopsys Jul 30 2020 11:00 am UTC 45 mins
    Ian Ashworth and Bhavin Shah
    Adversaries continuously evolve their behaviours and defenders must respond accordingly. Governments around the world are striving to supplement manual tracing efforts with the adoption of a "Track and Trace" mobile application to help prevent further spread of COVID-19 and regain healthy levels of economic activity. In this short interactive session, Synopsys will discuss the topic as seen through their "security eyes" and with some key takeaways:

    • How to develop applications at speed and remain security-aware?
    • What security measures are considered essential when building any mobile application?
    • Where is your data being recorded and used? Does this feel too much like Big Brother is watching your every move?
    • How can Synopsys support you through your own software development lifecycle?

    This session will run for 35 minutes followed by a 10-minute Q&A session.
  • Your Developers Aren’t Security Experts - But They Can Be With the Right Tools Jul 30 2020 8:00 am UTC 51 mins
    Patrick Carey, Director Product Marketing, Synopsys and Sandy Carielli, Principal Analyst, Forrester Research, Inc.
    Securing your applications is critical, but maintaining release velocity and developer productivity is just as important. Let’s face it: Developers aren’t security experts. They unwittingly introduce security weaknesses and vulnerable open source components into your applications, and they’re ultimately responsible for fixing any issues that surface. But what if you could equip developers with the tools and information they need to prevent security issues from ever making it into your codebase, without creating unnecessary friction or slowing them down?

    Join guest presenter Sandy Carielli, Principal Analyst, Forrester Research, Inc., and Patrick Carey, Synopsys, as they discuss the benefits of IDE-based security testing and the role developers can play in securing your applications.
  • Software Is Manufacturing Jul 29 2020 5:00 pm UTC 60 mins
    Jonathan Knudsen, Technical Marketing Manager, Synopsys
    Modern software is assembled rather than written. Developers usually select third-party open source software components that provide useful chunks of functionality, then write some code to glue everything together into a complete product. Each software component carries its own risk, which means that managing the supply chain of components is crucial to minimizing overall risk.
    Software components carry three types of risk. Known vulnerabilities in software components can be directly absorbed in a software product. Component licenses can be incompatible with a product’s license model. Finally, components can present operational risks.
    Left unchecked, software supply chain risks can result in consequences that range from irritating to catastrophic. All product development processes should include automated software supply chain management integrated into the development toolchain.
    This webinar describes the current landscape of open source adoption and shows how managing the software supply chain results in products that are safer, more secure, and lower risk.
  • Binary Scanning 101: Pulling back the covers on binaries Jul 28 2020 3:30 pm UTC 60 mins
    Lisa Bryngelson
    Organizations across every industry increasingly rely on open source software to form the foundation of the products and technologies they deliver to the market. So you can assume that the third-party commercial software you depend on from supply chain partners and outsourcers also uses open source as its backbone. The challenge is deciding whether to trust that your vendors are managing potential open source security vulnerabilities proactively or to verify for yourself that the open source embedded in the software you procure remains up to date and secure. The latter, what we refer to as “trust but verify,” requires tools that can look inside compiled binaries to ensure the whole of your application is secure.

    Join Lisa Bryngelson, senior product manager at Synopsys, as she pulls back the covers on how Black Duck tackles binary scanning. In this webinar, she’ll discuss:

    · Binary scanning basics and best practices

    · How binary scanning works

    · The different types of binary scanning and identification techniques

    · The challenges in detecting specific components or versions

    · How developers can make it easier for scanners to produce accurate and precise results
  • Secure your "Dev" and "Ops" Pipeline with Synopsys and Red Hat Jul 28 2020 5:00 am UTC 57 mins
    Gautam Baghel, Global Technical Alliances, Synopsys and Dave Meurer, Partner Solutions Architect
    Synopsys and Red Hat team up once again to bring you the best in class solution to secure your "Dev" & "Ops" pipeline without compromising speed. Red Hat Openshift's secure-by-design platform provides operations teams with an out of the box secure Kubernetes deployment and Synopsys application security tools ensure development teams build secure applications and images with high quality. Combining the capabilities of Red Hat and Synopsys together is key in making sure that deployed applications are less susceptible to attacks.

    Join the experts from Red Hat and Synopsys as they present and demonstrate:
    * Augmenting Red Hat's secure-by-design OpenShift platform
    * Consolidating Containerized Application Security Perspectives
    * Integrating Synopsys’ Application Security testing (AST) solutions into Tekton-based OpenShift Pipelines
    * Application and Host Container Security with CoreOS, Quay & Black Duck
    * Reducing false positives by combining Security feeds with OVAL, RHSA and BDSA
  • Implementing SAST into your SDLC: What to look for & what to consider Jul 22 2020 8:00 am UTC 60 mins
    Rob Haines, Senior Sales Engineer, Synopsys
    So you’ve decided (or been told) that you need to implement SAST in your software development process. This webinar will cover some of the things you should consider when looking for a solution and how to implement it. SAST is not a one size fits all solution and implementation can often be a compromise between technology, time, process and people. Especially the people.

    We will cover what you should look for in a tool, considerations about implementations and the importance of process in making sure that you get a good return on your investment and of course high quality and more secure software. We will look at common objections and pitfalls that occur during this type of project.
  • Remote Security Testing & Training: Busting Myths and Offering Solutions Jul 15 2020 3:30 pm UTC 62 mins
    Sandesh Mysore Anand, Managing Consultant at Synopsys and Rakshitha R Rao, Security Consultant at Synopsys
    While digital transformation and BYOD have allowed many IT activities to occur remotely, many enterprises still prefer to perform security testing on-site. Concerns about data security, network/application accessibility, assessment quality and project management have discouraged teams from making the leap. In this webinar, we leverage lessons learned from many years of delivering Managed Application Security Services to provide guidelines on addressing these concerns and offer solutions on how to conduct remote security testing and security training.
  • Secure Automotive Software Development in the Age of ISO/SAE 21434 Jul 15 2020 8:30 am UTC 72 mins
    Dr. Dennis Kengo Oka, Principal Automotive Security Strategist, Synopsys
    Modern vehicles run on software containing more than 150 million lines of code. As a result of more advanced safety-relevant functionality, such as ADAS and autonomous driving, as well as new communication interfaces, mobile apps, and back-end servers based on connected car use cases, the need for developing secure systems in the automotive industry is higher than ever. A draft of the new cyber security standard ISO/SAE 21434 was recently released to help automotive companies address cyber security for the entire vehicle life cycle.

    This talk presents cyber security activities in the software development process based on ISO/SAE 21434 to help automotive companies develop more secure systems. We’ll provide examples of what is required from a resources and tools perspective to ensure an efficient and practical implementation of the various cyber security steps in the development process.
  • Maximizing the Impact of Static Analysis Jul 14 2020 5:00 pm UTC 60 mins
    Meera Rao, Senior Principal Consultant, Synopsys
    Static analysis, also known as white box testing, static application security testing (SAST), or secure code review, finds bugs in application code, back doors, and other code-based vulnerabilities so you can mitigate those risks. But no static analysis tool can effectively address threats to a development environment out of the box. And many users have the misconception that the cost of tool adoption depends primarily on getting the tool working in a build environment.

    Static analysis is the only way to enable developers to automatically identify vulnerabilities as they write code in their integrated development environment (IDE). With SAST, developers can:
    • Run scans in their IDE by using plugins that provide just-in-time security guidance.
    • Review source code before checking it into a version control repository.
    • Remediate identified vulnerabilities.
    • Adopt a preventative mindset.

    Automation is an important part of adopting a SAST tool, as it drives efficiency, consistency, and early detection, enabling organizations to shift left. For a static analysis implementation to be effective, several distinct activities must come together to establish and maximize its impact. This webinar covers some challenges of SAST implementation and provides real solutions to get the most value out of SAST tools.
  • Find More Bugs by Detecting Failure Better Recorded: Jul 7 2020 54 mins
    Jonathan Knudsen, Technical Marketing Manager, Synopsys
    Software can fail in many ways, including process crashes, infinite loops, memory leaks, data leakage, corruption, unexpected behavior, and more. Part of the challenge of fuzz testing is accurately detecting when failure occurs.

    The Defensics fuzzer uses various types of instrumentation to detect failures. A spectrum of instrumentation techniques is available, ranging from simple black box approaches that can catch process crashes and hangs, to deeper types of instrumentation that can detect subtler failure modes.

    This webinar describes the instrumentation techniques that are built into Defensics. You’ll learn how Defensics makes it easy to detect a wide variety of software failures, how Defensics can be extended to any type of instrumentation you can imagine, and how an agent framework makes it easy to detect failures by running specialized agents alongside your software target.
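  • Using Coverity Static Analysis to Reliably and Efficiently Improve Quality in Outsourced Software Development Recorded: Jul 1 2020 72 mins
    佐藤大樹, Senior Sales Engineer, Software Integrity Group, Nihon Synopsys G.K.
    Many software development projects depend on engineers from multiple companies and organizations, and developing high-quality deliverables reliably and efficiently under deadline and resource constraints is a major challenge.

    Coverity is a highly reliable static analysis tool, adopted in embedded device and enterprise application development projects in Japan and abroad for its high defect detection accuracy, low false positive rate, and features such as quantifying and visualizing quality.

    Focusing on features that improve software quality from the perspectives of both developers and managers, this demo-centered seminar introduces how to use Coverity static analysis and its benefits.

    Agenda
    - Bugs and security issues that Coverity static analysis can detect
    - Demo of features that help developers fix bugs and security issues efficiently
    - Demo of features that help managers control the quality of the software as a whole
    - Q&A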
  • 5 Steps to Integrate SAST into the DevSecOps Pipeline Recorded: Jun 25 2020 60 mins
    Meera Rao, Senior Principal Consultant, Synopsys
    Even software with a solid architecture and design can harbor vulnerabilities, whether due to mistakes or shortcuts. But limited security staff don’t have the resources to perform code reviews and provide remediation guidance on the entire application portfolio. Static analysis, also known as static application security testing (SAST), is an automated way to find bugs, back doors, and other code-based vulnerabilities so the team can mitigate those risks.

    First, though, you must choose a static analysis model that fits your needs. You might have questions such as these:
    - How do I manage false positives?
    - How do I triage the results?
    - What happens to new issues identified?
    - My scan takes hours to complete. How can I use this tool in my DevSecOps pipeline?
    - What is a “baseline scan”?

    Join us as we walk you through the challenges and benefits of integrating a SAST tool into your DevSecOps pipeline and how we’ve helped other organizations with this process.
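  • A New Approach to Software Development for Manufacturers in the Post-COVID, New Normal Era Recorded: Jun 24 2020 61 mins
    松岡正人, Senior Product Marketing Manager, and 大森 健史, Managing Principal, Security Consulting, Software Integrity Group, Nihon Synopsys G.K.
    The spread of COVID-19 has confronted software development with major challenges.
    To reduce infection risk by avoiding contact with other people, opportunities for development and verification on physical hardware, for example, may become even more limited.
    Even so, teams need to establish methods for developing high-quality deliverables within tight deadlines.

    Hints can be found in long-established practices such as offshore development and community-driven OSS development.
    Technologies for visualizing quality, remote use, and automation are also advancing.

    This session therefore sorts out the requirements for software development in the new era and discusses how combining existing technologies can advance software development effectively while reducing infection risk.

    Agenda
    - New requirements for software development in the post-COVID, new normal era
    - Lessons from offshore and community-based development, and how new technologies can be combined with them
    - What Synopsys can propose and help with
    - Q&A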
  • The DoS goes loop-di-loop Recorded: Jun 23 2020 51 mins
    Allon Mureinik, Senior Manager, Synopsys
    Do you know the common ways Node.js applications may be vulnerable to denial-of-service attacks?

    The single-threaded nature of Node.js makes it very susceptible to DoS attacks. While the Node.js event loop allows you to perform some operations asynchronously, it’s still quite easy to write a vulnerable Node.js application by making a few simple mistakes.

    In this talk I’ll cover some common ways a Node.js application may be vulnerable to DoS attacks and some common best practices and countermeasures to defend against such attacks.
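  • Q&A Follow-Up: Web Application Security Testing, the Challenges of DAST and Manual Testing, and How to Solve Them (Introducing IAST) Recorded: Jun 19 2020 60 mins
    川原翔, Senior Sales Engineer, Software Integrity Group, Nihon Synopsys G.K.
    IAST is a new approach, an alternative to DAST and vulnerability assessments, for building security testing into CI/CD and DevOps processes.
    We held an IAST explainer seminar in May and received a great many questions, but unfortunately could not answer all of them because of time and other constraints.

    This session answers those questions and aims to deepen your understanding of IAST. Those who could not attend the previous seminar are welcome. We will also briefly introduce the features added in the recently released latest version, "2020.06".

    Main questions
    - Why IAST Seeker produces fewer false positives than DAST
    - Whether paid services are required to make full use of IAST
    - How much is visible about a detected defect, such as the specific line in the source code
    - Additional Q&A on the day

    * The previous seminar is available at any time as a recording (about 60 minutes). Please review it beforehand.
    The presentation PDF can be downloaded from Attachment below the presentation screen.
    https://www.brighttalk.com/webcast/13983/402408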
  • Do Design Quality and Code Quality Matter in M&A Tech Due Diligence? Recorded: Jun 18 2020 46 mins
    Phil Odence, GM, Synopsys & Daniel Sturtevant, CEO and Co-founder, Silverthread
    (Spoiler alert: Yes.)

    In an acquisition where a software asset is a core part of the deal valuation, it’s important to understand the overall quality of the software before doing the deal. Buggy software is problematic and needs to be cleaned up, so assessing code quality is important. But also, with poorly designed software, every fix is costly, laborious, and risky. The cost of fixes can significantly affect the long-term technical and economic viability of the application, and maintaining the software can seriously degrade ROI. That’s why understanding a software system’s design and architectural health and the likely “cost of ownership” is key.

    Join us for this webinar to learn how to paint a complete picture of the technical quality of software to avoid buyer’s remorse post-close. We’ll cover:

    • The dimensions of technical due diligence
    • The difference between design quality and code quality
    • How software architecture can have a long-term impact
    • What to look for in software design and code quality audits

    Don’t miss this informative webinar. Register today.
  • Shifting Left to Accelerate Security Approvals for ATOs in Defense Programs Recorded: Jun 17 2020 57 mins
    Joe Jarzombek, Director for Government & Critical Infrastructure Programs
    Demands for more secure software and more rapid application development have led to the emergence of risk-based DevSecOps, which adds security activities, increases depth, and improves testing governance. The best strategy is to shift from a reactive to a proactive security approach that injects security at the right time and place with automated continuous testing. Arming developers with proven application security tools integrated within their supporting CI/CD toolchains reduces the time and effort needed to achieve authorization for changes in software to operate on a DOD network or weapon system. Key technologies such as static application security testing (SAST) and software composition analysis (SCA) help developers deliver high-quality and more secure codebases in the front end of the pipeline. Mitigating technical debt early in the software development life cycle (SDLC) provides significant cost savings while accelerating the delivery of more secure software.

    Join Joe Jarzombek (USAF Lt. Col., retired) as he discusses means for successfully scaling responsiveness with a secure SDLC. He will cover how:

    • Automated continuous testing can be used throughout the SDLC
    • Catching security defects at the desktop can be like using a spell-checker to drive savings while rapidly mitigating risks attributable to exploitable software
    • Developer productivity can provide more time for creating new features rather than fixing newly entered issues

    Don’t miss this informative webinar. Register today.
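  • The Future of AUTOSAR and How to Approach Coding Standards Recorded: Jun 17 2020 59 mins
    岡デニス健五, Senior Solution Architect, and 勝岡宣彦, Senior Sales Engineer, Software Integrity Group, Nihon Synopsys G.K.
    Complying with the MISRA and AUTOSAR coding standards is a major challenge in automotive software development, and activities such as manual source code review place a very heavy burden on development teams. In a supply-chain-based software development structure, it is essential for developing safe and secure software more efficiently that all parties share an understanding of what AUTOSAR aims for and how to approach the standards, and apply the coding standards in a way everyone accepts.

    Developing safe and secure software also requires more than following coding standards: controlling the risks that cause defects and vulnerabilities matters even more.

    Using the C++ coding standards as the entry point, this session explains where AUTOSAR and MISRA stand, their future outlook, and how to use the static analysis tool Coverity to work with coding standards efficiently and develop safe and secure software efficiently.

    Agenda
    - The evolution and future of MISRA and AUTOSAR, viewed through C++
    - How to use the AUTOSAR coding standards efficiently to develop safe and secure software
    - Demo of the Finding Manager feature of Coverity static analysis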
  • Bridging the Security Testing Gap in Your CI/CD Pipeline Recorded: Jun 16 2020 43 mins
    Asma Zubair, Product Mgmt Mgr, Sr Staff, Synopsys and Kimm Yeo, Product Marketing Mgr, Staff, Synopsys
    Are you struggling with application security testing? Do you wish it were easier, faster, and better? Join us to learn more about Seeker, a modern interactive application security testing tool that provides highly accurate, real-time vulnerability results without the need for application or source code scans. Learn how this nondisruptive tool can:
    - Run in the background and report vulnerabilities during functional tests, integrated QA, and CI/CD activities.
    - Auto-verify, prioritize, and triage vulnerability findings in real time with 100% confidence.
    - Fully automate secure app development, testing, and delivery, without the need for extra security scans or processes.
    - Free up DevOps resources to focus on strategic or mission-critical tasks and contributions.
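  • OSS in Commercial Software Assets and the Current State of Its Risk - Analysis and Recommendations Based on the 2020 Report Recorded: Jun 10 2020 66 mins
    吉井雅人, Senior Sales Engineer, Software Integrity Group, Nihon Synopsys G.K.
    The 2020 edition of the Synopsys Open Source Security and Risk Analysis report is the latest edition of a report that summarizes the current state and analysis of OSS usage and risk, based on audits of the OSS contained in more than 1,250 commercial codebases across 17 industries worldwide, including enterprise, healthcare, finance, and telecommunications infrastructure.

    OSS use in software development and commercial software is expanding rapidly, and understanding the OSS and risk contained in the assets an organization holds is an ever greater challenge.

    Based on the latest report, this seminar reviews the current state of OSS usage and risk and the methods and challenges of managing it, and introduces the approach Synopsys proposes for reliable and efficient management.

    Agenda
    - Trends in widely used OSS today, and the current state of vulnerability and license risk
    - Methods for managing OSS and its risk appropriately, and the challenges involved
    - The approach Synopsys proposes for managing OSS reliably and efficiently
    - Q&A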
Build secure, high-quality software faster.
Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.

  • Title: Challenges and Basic Countermeasures When Embedded Devices Connect to the Cloud
  • Live at: Jun 3 2020 6:30 am
  • Presented by: 松岡正人, Senior Product Marketing Manager, and 中野哲也, Senior Sales Engineer, Software Integrity Group, Nihon Synopsys G.K.